Why passwords are failing to keep systems secure
When designing a system, using passwords to protect access might be the first thing you think of. However, this is rarely enough to secure sensitive information.
This is because human memory is not good at retaining strong passwords, and most passwords that are easy to memorise are also easy to guess. For example, it has been found that people generally pick things like their date of birth, the name of a relative or a pet's name. Each of these may be easy to remember, but it is also easy for someone who knows the user (or who has seen their social media account) to guess. It has also been documented that more than 50% of people use one of the top 25 most common passwords, a list that includes ‘123456’, ‘qwerty’ and ‘111111’. Using any one of these makes things incredibly easy for a would-be hacker.
Organisations and website owners can take measures to prevent users from choosing weak passwords, but this is not without its problems. If a user is forced to have a particularly strong, and therefore hard to memorise, password, it is very likely that they will either reuse it for everything that requires a strong password, or forget it.
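One of the measures just mentioned is to reject weak passwords at the point where the user chooses them. The following is an added example, not code from the original article: a small policy check that rejects passwords that are too short, that appear on a common-password blocklist (including after undoing ‘P@ssw0rd’-style substitutions), that are a single repeated character, or that contain the user's own personal details such as a pet's name or a date of birth. The blocklist, the minimum length of 12 and the `dob_tokens` helper are assumptions of the example; a real deployment would load a large breach-derived blocklist rather than the ten entries constructed here.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample blocklist: a tiny stand-in for the "top 25 most common
# passwords" list. A real deployment would load a large breach-derived list
# from a file (hypothetical path: /etc/auth/blocklist.txt).
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "qwerty", "111111", "abc123",
    "letmein", "iloveyou", "admin", "welcome",
}

MIN_LENGTH = 12  # assumption: a length floor rather than composition rules

# Undo the substitutions users apply to slip a blocklisted word past a naive
# check ("P@ssw0rd" -> "password").
_LEET = str.maketrans("0134578@$!", "oleastbasi")


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list = field(default_factory=list)


def dob_tokens(year: int, month: int, day: int) -> set:
    """Common ways a date of birth gets typed into a password."""
    yy = year % 100
    return {
        f"{year}",
        f"{year}{month:02}{day:02}",
        f"{day:02}{month:02}{year}",
        f"{day:02}{month:02}{yy:02}",
        f"{month:02}{day:02}{yy:02}",
    }


def check_password(candidate: str, personal_tokens: Optional[set] = None) -> PolicyResult:
    """Reject candidates that are short, blocklisted, a single repeated
    character, or built from personal data. The caller decides how much of
    the reason list to show the user."""
    reasons = []
    lowered = candidate.lower()
    normalised = lowered.translate(_LEET)

    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS or normalised in COMMON_PASSWORDS:
        reasons.append("appears in the common-password blocklist")
    if re.fullmatch(r"(.)\1*", candidate):
        reasons.append("single repeated character")
    for token in sorted(personal_tokens or ()):
        t = token.lower()
        # Tokens shorter than three characters would match almost anything.
        # Digits are checked against the raw form because the leet mapping
        # would otherwise turn "120385" into letters.
        if len(t) >= 3 and (t in lowered or t in normalised):
            reasons.append(f"contains personal information ({token})")
    return PolicyResult(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed user profile: username, pet's name and date of birth.
    profile = {"alice", "rex"} | dob_tokens(1985, 3, 12)
    for pw in ("123456", "P@ssw0rd", "Rex2015!Walkies", "Summer120385x",
               "correct-horse-battery-staple"):
        result = check_password(pw, profile)
        print(f"{pw!r}: {'ok' if result.accepted else ', '.join(result.reasons)}")
```

The check deliberately does not require mixed case, digits or symbols: such composition rules push users towards predictable patterns like capitalising the first letter and appending ‘1!’, which is exactly the behaviour the blocklist and the substitution-undoing step are there to catch.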
This usually means that when a user has to remember a difficult password, they write it down and leave it on their desk or monitor, for example. Others use their mobile devices to store passwords, which in itself might not sound like much of a risk, but most users do not think it necessary for their mobile phone to have the security such a task requires.
A recent survey of internet users based in the UK and US found that companies lose about £261 per person per year on password retrieval, so expecting users to remember passwords looks like a bad idea. But if users cannot record their passwords on paper or on their phone, what should they do? There is software that can be purchased to help track passwords, but it must be backed up securely and regularly. Additionally, if the computer the software is on fails, or is hacked, the user may have to reset all of their passwords.
With passwords either too hard for the user to remember or too easy for a hacker to guess, authentication based on "something you know" is dead. It is now time to transition to authentication methods that rely on who you are, called biometric authentication. Biometrics have long been considered the way forward because they rely on physical traits of the user that cannot be forgotten or lost.
New biometric authentication will eliminate the risks associated with using a password, increase security and will also improve productivity.